Players don't think developers take security seriously

While more than 80 per cent of players believe game developers should be responsible for securing players’ personal data, they have low confidence that’s actually being done, according to a recent survey of frequent game players.

Instead, they feel responsible for protecting themselves, and do so by submitting minimal or fake information when they purchase games.

At the same time, when considering what games to purchase, players ranked security much lower than more popular factors such as cost or gameplay experience, the survey found. And despite the series of security breaches that have hit the game industry in recent years, only 30 per cent of the players surveyed were aware of them.

This risks becoming a vicious circle where everyone “knows” that security is important, but keeps putting it low on the priority list. Game producers already under pressure to find room in the schedule for a new game mode, for example, might find it hard to justify finding the time to implement secure backend systems.

The PlayFab-sponsored survey polled 500 US residents who play games at least four hours a week and was conducted by SurveyMonkey in August 2015. More findings are available here.

Meanwhile, giving fake or minimal information isn’t a long-term strategy for players, either. Personally Identifiable Information (PII) is just one kind of player data that security breaches put at risk.

With the rise of online games, a player builds up a virtual vault of data such as leaderboard triumphs, achievements and ranking, and of course virtual currency and collectible items. When those get hacked, it can throw a game’s entire economy out of balance, or turn off potential spenders because they see leaderboards full of impossible scores. This kind of virtual data also has real value to players, for whom it represents an investment of time and energy.

Game developers who ignore security thus risk not only losing their players’ data, but their trust and their spending. While data security breaches are becoming more frequent across the entire Internet, the game industry should do what it always does, and be a technology leader. Here are five steps to get started...

5 key steps to securing your game

#1: Stop trusting client code

Assume that anything in your client code can be hacked – because it will be. Make sure that any data coming from the client is validated before it impacts the game state – either instantly for online games, or at next sync for games with offline modes.

For example, use bound checking to validate client-reported scores. If a particular level typically yields a maximum score of 20 XP over the course of 3 hours, the checker will flag a player who submits a score of 100 XP in 5 minutes.

#2: Use a secure protocol to send information

Bad things happen to games not using SSL or other secure communication protocols. Virtual accounts can be raided and players can be hijacked. Pillaging is only fun when it’s supposed to be part of the game.

#3: Do not collect or store financial data

If players can buy items or virtual currency with real money, use one of the many trusted third-party services available to handle the transaction. Apple, Google, and Steam will handle this for games on their platforms, but there are also other PCI-compliant payment processors available to integrate with, such as PayPal or Stripe.

#4: Be smart about receipt validation

If you don’t have receipt validation at all, your virtual economy is at the mercy of anyone who can spend 5 seconds googling “in-app purchases hack.” But as more games do use validation, the hackers have gotten smarter, so don’t just rely on a simple “is this receipt valid” check. You also want to check that the “valid” receipt is actually for your game, and for the item it claims to be.

#5: Backup your data and establish good retention policies

Make sure that any data storage that contains virtual goods is properly secured, replicated, and regularly backed up. Conduct a security audit to ensure you know where all Personally Identifiable Information (PII), such as names and email addresses, is stored. Privacy requirements differ by country, but at a minimum, make sure players can access and remove their PII, and that you have a policy for how long you store it.

If this sounds daunting, there are third-party backend solutions (including my company’s, PlayFab) that can handle the heavy lifting for you. Remember, your players are counting on you.

Matt Augustine is CTO and co-founder of PlayFab, a backend service to build, launch and grow live games. He created the PlayFab platform while at Uber Entertainment before it spun out, and continues to oversee all design and engineering of its core services. Prior to that he worked on several large-scale projects at Microsoft including docs.com, Live Mesh and the account system for Messenger and Hotmail.